Non-Technical/Non-Vendor Security Certifications

By Lawrence C. Miller, Peter H. Gregory

Many other certifications besides the Certified Information Systems Security Professional (CISSP) credential are available that are not tied to specific hardware or software vendors. Some of the better ones include:

  • CISA (Certified Information Systems Auditor): Consider this certification if you work as an internal auditor or your organization is subject to one or more security regulations, such as Sarbanes-Oxley, HIPAA, GLBA, PCI, and so on. The Information Systems Audit and Control Association and Foundation (ISACA) manages this certification.
  • CISM (Certified Information Security Manager): Similar to (ISC)2's Information Systems Security Management Professional (ISSMP) certification (which we talk about in the section "CISSP concentrations," earlier in this chapter), you may want the CISM certification if you're in security management. Like CISA, ISACA manages this certification.
  • CRISC (Certified in Risk and Information Systems Control): This is a relatively new certification that concentrates on organizational risk management.
  • CGEIT (Certified in the Governance of Enterprise IT): Look into this certification if you want to demonstrate your skills and knowledge in the areas of IT management and governance. Effective security in an IT organization definitely depends on governance, which involves the management and control of resources to meet long-term objectives.
  • CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International. The CPP certification designates individuals who have demonstrated competency in all areas constituting security management.
  • PSP (Physical Security Professional): ASIS International also offers this certification, which caters to those professionals whose primary responsibility focuses on threat surveys and the design of integrated security systems.
  • CIPP (Certified Information Privacy Professional): The International Association of Privacy Professionals has this and other country-specific privacy certifications for security professionals with knowledge and experience in personal data protection.
  • CCISO (Certified Chief Information Security Officer): This certification demonstrates the skills and knowledge required for the typical CISO position.
  • CBCP (Certified Business Continuity Planner): A business continuity planning certification offered by the Disaster Recovery Institute.
  • DRCE (Disaster Recovery Certified Expert): This certification is a recognition of knowledge and experience in disaster recovery planning.
  • PMP (Project Management Professional): A good project manager — someone you can trust with organizing resources and schedules — is a wonderful thing, especially on large projects. The Project Management Institute offers this certification.
  • PCI-QSA (Payment Card Industry Qualified Security Assessor): The Payment Card Industry Security Standards Council developed the QSA certification for professionals who audit organizations that store, transmit, or process credit card data. This certification is for PCI auditors.
  • PCI-ISA (Payment Card Industry Internal Security Assessor): This certification, also from the Payment Card Industry Security Standards Council, is for security professionals within organizations that store, transmit, or process cardholder data.
  • GIAC (Global Information Assurance Certification): The GIAC family of certifications includes categories in Audit, Management, Operations, and Security Administration. Two of the GIAC non-vendor-specific certifications that complement CISSP are the GIAC Certified Forensics Analyst (GCFA) and the GIAC Certified Incident Handler (GCIH).